[Pkg-samba-maint] Bug#483410: Bug#483410: CVE-2008-1105: Boundary failure when parsing SMB responses can result in a buffer overrun

Christian Perrier bubulle at debian.org
Thu May 29 20:42:18 UTC 2008


Quoting Christian Perrier (bubulle at debian.org):

> > You should prepare an upload with distribution stable-security, urgency
> > high, and upload it to:
> > 
> >   <ftp://security-master.debian.org/pub/SecurityUploadQueue>
> 
> OK, that upload is ready.


Uploaded.

I attached a debdiff with the former version in etch...


-------------- next part --------------
diff -u samba-3.0.24/debian/patches/series samba-3.0.24/debian/patches/series
--- samba-3.0.24/debian/patches/series
+++ samba-3.0.24/debian/patches/series
@@ -31,0 +32 @@
+security-CVE-2008-1105.patch
diff -u samba-3.0.24/debian/changelog samba-3.0.24/debian/changelog
--- samba-3.0.24/debian/changelog
+++ samba-3.0.24/debian/changelog
@@ -1,3 +1,11 @@
+samba (3.0.24-6etch10) stable-security; urgency=high
+
+  * debian/patches/security-CVE-2008-1105.patch: fix a heap overflow
+    when parsing SMB responses in client code.  (CVE-2008-1105)
+    Closes: #483410
+
+ -- Christian Perrier <bubulle at debian.org>  Wed, 28 May 2008 20:32:04 +0200
+
 samba (3.0.24-6etch9) stable-security; urgency=high
 
   * debian/patches/security-CVE-2007-6015.patch: fix a remote code
only in patch2:
unchanged:
--- samba-3.0.24.orig/debian/patches/security-CVE-2008-1105.patch
+++ samba-3.0.24/debian/patches/security-CVE-2008-1105.patch
@@ -0,0 +1,187 @@
+commit 7e191387d64de2c965fc2c999bc7d1ccf4aae010
+Author: Gerald W. Carter <jerry at samba.org>
+Date:   Wed May 28 07:30:19 2008 -0500
+
+    Security: Patche for CVE-2008-1105.
+    
+        -- Summary --
+        Specifically crafted SMB responses can result
+        in a heap overflow in the Samba client code.
+        Because the server process, smbd, can itself
+        act as a client during operations such as
+        printer notification and domain authentication,
+        this issue affects both Samba client and server
+        installations.
+    
+    Ensure that we specify the buffer size used to store incoming SMB
+    packets.  This bug was originally introduced in Samba 2.2.4.  Patch from
+    Jeremy Allison.
+
+Index: samba-3.0.24/source/client/client.c
+===================================================================
+--- samba-3.0.24.orig/source/client/client.c
++++ samba-3.0.24/source/client/client.c
+@@ -3230,7 +3230,7 @@
+ 	   session keepalives and then drop them here.
+ 	*/
+ 	if (FD_ISSET(cli->fd,&fds)) {
+-		if (!receive_smb(cli->fd,cli->inbuf,0)) {
++		if (!receive_smb(cli->fd,cli->inbuf,cli->bufsize,0)) {
+ 			DEBUG(0, ("Read from server failed, maybe it closed the "
+ 				"connection\n"));
+ 			return;
+Index: samba-3.0.24/source/client/smbctool.c
+===================================================================
+--- samba-3.0.24.orig/source/client/smbctool.c
++++ samba-3.0.24/source/client/smbctool.c
+@@ -3304,7 +3304,7 @@
+ 	   session keepalives and then drop them here.
+ 	*/
+ 	if (FD_ISSET(cli->fd,&fds)) {
+-		receive_smb(cli->fd,cli->inbuf,0);
++		receive_smb(cli->fd,cli->inbuf,cli->bufsize,0);
+ 		goto again;
+ 	}
+ 	  
+Index: samba-3.0.24/source/lib/util_sock.c
+===================================================================
+--- samba-3.0.24.orig/source/lib/util_sock.c
++++ samba-3.0.24/source/lib/util_sock.c
+@@ -654,14 +654,13 @@
+ }
+ 
+ /****************************************************************************
+- Read an smb from a fd. Note that the buffer *MUST* be of size
+- BUFFER_SIZE+SAFETY_MARGIN.
++ Read an smb from a fd. 
+  The timeout is in milliseconds. 
+  This function will return on receipt of a session keepalive packet.
+  Doesn't check the MAC on signed packets.
+ ****************************************************************************/
+ 
+-BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
++BOOL receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout)
+ {
+ 	ssize_t len,ret;
+ 
+@@ -682,25 +681,18 @@
+ 		return False;
+ 	}
+ 
+-	/*
+-	 * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
+-	 * of header. Don't print the error if this fits.... JRA.
+-	 */
+-
+-	if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
++	if (len > buflen) {
+ 		DEBUG(0,("Invalid packet length! (%lu bytes).\n",(unsigned long)len));
+-		if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) {
+ 
+-			/*
+-			 * Correct fix. smb_read_error may have already been
+-			 * set. Only set it here if not already set. Global
+-			 * variables still suck :-). JRA.
+-			 */
++		/*
++		 * smb_read_error may have already been
++		 * set. Only set it here if not already set. Global
++		 * variables still suck :-). JRA.
++		 */
+ 
+-			if (smb_read_error == 0)
+-				smb_read_error = READ_ERROR;
+-			return False;
+-		}
++		if (smb_read_error == 0)
++			smb_read_error = READ_ERROR;
++		return False;
+ 	}
+ 
+ 	if(len > 0) {
+@@ -730,9 +722,9 @@
+  Checks the MAC on signed packets.
+ ****************************************************************************/
+ 
+-BOOL receive_smb(int fd, char *buffer, unsigned int timeout)
++BOOL receive_smb(int fd, char *buffer, size_t buflen, unsigned int timeout)
+ {
+-	if (!receive_smb_raw(fd, buffer, timeout)) {
++	if (!receive_smb_raw(fd, buffer, buflen, timeout)) {
+ 		return False;
+ 	}
+ 
+Index: samba-3.0.24/source/libsmb/clientgen.c
+===================================================================
+--- samba-3.0.24.orig/source/libsmb/clientgen.c
++++ samba-3.0.24/source/libsmb/clientgen.c
+@@ -42,8 +42,7 @@
+ }
+ 
+ /****************************************************************************
+- Read an smb from a fd ignoring all keepalive packets. Note that the buffer 
+- *MUST* be of size BUFFER_SIZE+SAFETY_MARGIN.
++ Read an smb from a fd ignoring all keepalive packets.
+  The timeout is in milliseconds
+ 
+  This is exactly the same as receive_smb except that it never returns
+@@ -52,12 +51,12 @@
+  should never go into a blocking read.
+ ****************************************************************************/
+ 
+-static BOOL client_receive_smb(int fd,char *buffer, unsigned int timeout)
++static BOOL client_receive_smb(int fd,char *buffer, size_t bufsize, unsigned int timeout)
+ {
+ 	BOOL ret;
+ 
+ 	for(;;) {
+-		ret = receive_smb_raw(fd, buffer, timeout);
++		ret = receive_smb_raw(fd, buffer, bufsize, timeout);
+ 
+ 		if (!ret) {
+ 			DEBUG(10,("client_receive_smb failed\n"));
+@@ -87,7 +86,7 @@
+ 		return False; 
+ 
+  again:
+-	ret = client_receive_smb(cli->fd,cli->inbuf,cli->timeout);
++	ret = client_receive_smb(cli->fd,cli->inbuf, cli->bufsize, cli->timeout);
+ 	
+ 	if (ret) {
+ 		/* it might be an oplock break request */
+Index: samba-3.0.24/source/smbd/process.c
+===================================================================
+--- samba-3.0.24.orig/source/smbd/process.c
++++ samba-3.0.24/source/smbd/process.c
+@@ -508,7 +508,8 @@
+ 		goto again;
+ 	}
+ 	
+-	return receive_smb(smbd_server_fd(), buffer, 0);
++	return receive_smb(smbd_server_fd(), buffer,
++			BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE, 0);
+ }
+ 
+ /*
+Index: samba-3.0.24/source/utils/smbfilter.c
+===================================================================
+--- samba-3.0.24.orig/source/utils/smbfilter.c
++++ samba-3.0.24/source/utils/smbfilter.c
+@@ -140,7 +140,7 @@
+ 		if (num <= 0) continue;
+ 		
+ 		if (c != -1 && FD_ISSET(c, &fds)) {
+-			if (!receive_smb(c, packet, 0)) {
++			if (!receive_smb(c, packet, BUFFER_SIZE, 0)) {
+ 				d_printf("client closed connection\n");
+ 				exit(0);
+ 			}
+@@ -151,7 +151,7 @@
+ 			}			
+ 		}
+ 		if (s != -1 && FD_ISSET(s, &fds)) {
+-			if (!receive_smb(s, packet, 0)) {
++			if (!receive_smb(s, packet, BUFFER_SIZE, 0)) {
+ 				d_printf("server closed connection\n");
+ 				exit(0);
+ 			}
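Review bot: The new bound in receive_smb_raw, `if (len > buflen)`, accepts a packet of exactly buflen bytes; if the payload is then read to buffer+4 behind the 4-byte NetBIOS length field (the read itself is outside the hunk, so this is inferred from the surrounding code), such a packet still runs 4 bytes past a buffer that is exactly buflen long. Callers whose allocation carries a SAFETY_MARGIN above the size they pass would mask that, but smbfilter.c passes the bare `BUFFER_SIZE` for `packet`, and the check also compares a `ssize_t` with a `size_t` (visible at the declaration of `len` and the new parameter), which -Wsign-compare flags even though negative `len` is rejected just above. I would write the guard as `if ((size_t)len + 4 > buflen)` and, in smbfilter.c, pass `sizeof(packet)` rather than a repeated constant if `packet` is an array (its declaration is not in the hunk), so the bound follows the allocation. The body of receive_smb_raw continues outside the hunk.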